Enable Workload Identity on GKE
This section guides you through enabling the Workload Identity feature on your GKE cluster, which is necessary for running Arrikto Enterprise Kubeflow.
Note
If your cluster and node pools already have Workload Identity enabled, you may proceed to the Verify section.
Overview
What You'll Need
- A configured management environment.
- An existing GKE cluster.
- Access to the GKE cluster.
Procedure
To enable Workload Identity on an existing cluster, modify the cluster and its node pools with the following commands:
Update your cluster to enable Workload Identity:
root@rok-tools:~# gcloud container clusters update ${GKE_CLUSTER?} \
>     --workload-pool=${PROJECT_ID?}.svc.id.goog
Updating arrikto-cluster...done.
Update all node pools to enable Workload Identity:
root@rok-tools:~# gcloud container node-pools list --cluster ${GKE_CLUSTER?} \
>     --format="value(name)" | xargs -n1 -I{} \
>     gcloud container node-pools update {} --cluster ${GKE_CLUSTER?} \
>     --workload-metadata=GKE_METADATA
Updating node pool default-workers...
Important
The node-pool update above triggers a node upgrade, so it may take a while.
Verify
Ensure your cluster has Workload Identity enabled:
root@rok-tools:~# gcloud container clusters describe ${GKE_CLUSTER?} \
>     --format="value(workloadIdentityConfig)"
workloadPool=myproject.svc.id.goog
Ensure that your node pools have Workload Identity enabled:
root@rok-tools:~# gcloud container node-pools list --cluster ${GKE_CLUSTER?} \
>     --format="value(name)" | xargs -n1 -I{} \
>     gcloud container node-pools describe {} --cluster ${GKE_CLUSTER?} \
>     --format="value(name,config.workloadMetadataConfig.mode)"
default-workers GKE_METADATA
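The two verify commands above are easy to misread when a cluster has many node pools, so here is an added POSIX shell check (example code, not part of the Arrikto docs) that turns their captured output into a pass/fail result. The function names and the sample gcloud output at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Arrikto docs: turn the two verify commands above
# into a pass/fail check. Feed in the captured gcloud output; the sample values
# at the bottom are constructed for illustration.

# check_workload_pool PROJECT_ID DESCRIBE_OUTPUT
# Succeeds only when the cluster's workloadIdentityConfig names the pool
# PROJECT_ID.svc.id.goog, i.e. the pool the update command configured.
check_workload_pool() {
    [ "$2" = "workloadPool=$1.svc.id.goog" ]
}

# check_node_pools POOL_LINES
# POOL_LINES is the "name<TAB>mode" output of the node-pools describe loop,
# one pool per line. A pool that is not in GKE_METADATA mode still serves the
# node service account's credentials to its pods, so every such pool is
# printed and the function fails.
check_node_pools() {
    bad=0
    while read -r name mode _; do
        [ -z "$name" ] && continue
        if [ "$mode" != "GKE_METADATA" ]; then
            printf 'node pool %s: workloadMetadataConfig.mode=%s (expected GKE_METADATA)\n' \
                "$name" "${mode:-<unset>}"
            bad=1
        fi
    done <<EOF
$1
EOF
    return "$bad"
}

# Demo on constructed output: one pool was missed by the update loop.
demo() {
    cluster_out="workloadPool=myproject.svc.id.goog"
    pools_out=$(printf 'default-workers\tGKE_METADATA\nlegacy-pool\tGCE_METADATA\n')
    if check_workload_pool myproject "$cluster_out" && check_node_pools "$pools_out"; then
        echo "Workload Identity is enabled on the cluster and all node pools"
    else
        echo "Workload Identity is not fully enabled; re-run the update steps above"
    fi
}
demo
```

To run it against a real cluster, replace the constructed strings in demo with the output of the two describe commands from the Verify section.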